I have a question of how aireplay-ng works when it deauths. I mean, it is really easy to disconnect another client from an AP: you just need to run the deauth command (in aireplay-ng) once, specifying to send deauths 100 times or so.

3 Answers
3

802.11 deauthentication attacks can occur due to the way 802.11 frames are structured. The 802.11 spec controls not only the flow of packets between the client and the access point, but also carries other information such as frame type, power management, protocol version, and encryption schema used.wifi-planet .com understanding 802.11.

Deauth attacks by exploiting the 802.11 frame control for if a client is associated securely to the AP. The attacker send a series of "deauth" packets spoofing to be the unauthenticated client to the AP and checks to make sure the AP acknowledges that it received the packet. The attacker also send a series of packets to the client pretending to be the AP saying "hey you need to reauthenticate!". Then the client and the AP say "hey, We need to authenticate! you told me you're no longer authenticated! (this is due to the attacker's packets). Then the two reauthenticate, allowing the attacker to capture the complete handshake. Aireplay Documentation

Thank you for the answer! So it doesn´t seem that the hardware vendors will enable protection from deautentication for a while? I mean, now you just have to go to a public network in the town and just kick people out from the public APs. It shouldn´t be that easy!
–
RoxMar 5 '12 at 7:45

1

@Rox, no, hardware vendors can't stop this, since it is part of the spec. I'm not convinced it is that big a deal. Affected people will just re-connect. I haven't seen any indication that the problem you mention is widespread in practice, so I'm not inclined to view it as a big deal.
–
D.W.Mar 6 '12 at 20:27

It's pretty simple. The specification allows the access point to send a special packet, a "deauth" packet, to any particular client. The "deauth" packet tells the client, "please disconnect from me, then re-connect and re-authenticate". A perfectly reasonable set of functionality for the protocol to support.

The problem is that "deauth" packets are not authenticated or protected by crypto, even if you've enabled crypto on your wireless network. Therefore, a malicious attacker can send a spoofed "deauth" packet that pretends to have come from the access point to any individual client. That client will think the "deauth" packet came from the access point, and try to reauthenticate.

Why does this matter? Well, for most purposes it doesn't matter. But in some cases there are attacks that the attacker can do only if the attacker can eavesdrop or tamper with the initial handshake. What's an attacker to do if he shows up after the client has already performed the initial handshake? Why, he can simply send the client a spoofed "deauth" packet and force the client into re-authenticating and doing the initial handshake over again -- and now the attacker can do whatever he wanted to do during the initial handshake. So the "deauth" packets give the attacker a little bit of extra control, which helps in some attack scenarios.

Isn´t it a stupid standard (IEEE) that the AP does not send encrypted deauth packets? The problem would be solved if it did, wouldn`t it?
–
RoxMar 6 '12 at 8:00

@Rox, gee, I don't know if I'd call this aspect of the standard stupid. That might be going a bit far. From a security perspective, unencrypted deauth packets would be nothing more than a minor nuisance, if the rest of the standard was secure (if observing the initial handshake didn't help the attacker to attack the system). Deauth packets become a more serious concern only if there are ways for the attacker to exploit the initial handshake somehow.
–
D.W.Mar 6 '12 at 20:25

If deauth is only used to capture handshake then its no big deal that it is possible because if an attacker listens in on the com he will capture the handshake within 1 or 2 days anyway. This is why it is important to have 13 char password because that would take several billion years to crack if it was captured anyway.